Erlang OTP SSH Excessive Resource Consumption Vulnerability via Unverified SFTP File Handles

Vulnerability

A vulnerability in the SSH server implementation of Erlang OTP, specifically in the SFTP subsystem (ssh_sftpd), allows authenticated users to cause excessive CPU and memory usage. The server does not check the length of file handle strings supplied by the client, so handles longer than the 256-byte maximum specified by the SFTP protocol (draft-ietf-secsh-filexfer) are accepted and processed instead of being rejected. The vulnerability affects Erlang OTP versions 17.0 through 28.0.3; the 27 and 26 maintenance lines are affected up to the releases preceding 27.3.4.3 and 26.2.5.15. In terms of the ssh application shipped with OTP, the affected versions are 3.0.1 through 5.3.3, plus the maintenance releases up to 5.2.11.3 and 5.1.4.12.

Impact

Because oversized handles are processed rather than rejected, an authenticated client can keep the server's CPU and memory busy, degrading performance for other users and potentially causing a denial of service. Exploitation requires valid SSH credentials, but no further privileges.

Reproduction

The vulnerability can be reproduced by having an authenticated SFTP client send requests whose file handle string is longer than 256 bytes. The server accepts these handles without validating their length and processes them, causing excessive resource usage; repeating such requests amplifies the effect.
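The check that is missing here is a length bound on the handle field before the handle is used for anything. The module below is an added example written for this page (it is not code from the OTP ssh application and does not mirror its internals): it parses the handle-bearing SFTP request types (CLOSE, READ, WRITE, FSTAT, FSETSTAT, READDIR), rejects any handle longer than the protocol's 256-byte limit purely from the length prefix, and includes a constructor for a deliberately oversized SSH_FXP_READ request so the rejection path can be exercised. The packet layout follows the SFTP draft (byte type, uint32 request-id, string handle, then type-specific fields); the request and handle bodies are constructed sample data.

```erlang
%% sftp_handle_check.erl (added example; not part of Erlang/OTP)
-module(sftp_handle_check).
-export([check_request/1, build_read_request/3, demo/0]).

%% Request types that carry a file handle as their first string field.
-define(SSH_FXP_CLOSE,    4).
-define(SSH_FXP_READ,     5).
-define(SSH_FXP_WRITE,    6).
-define(SSH_FXP_FSTAT,    8).
-define(SSH_FXP_FSETSTAT, 10).
-define(SSH_FXP_READDIR,  12).

%% Maximum handle length mandated by the SFTP draft.
-define(MAX_HANDLE_LEN, 256).

%% Build the body of an SSH_FXP_READ request (outer uint32 framing omitted):
%% byte type, uint32 request-id, string handle, uint64 offset, uint32 length.
%% Used here only to construct sample input.
build_read_request(ReqId, Handle, Len) when is_binary(Handle) ->
    <<?SSH_FXP_READ, ReqId:32, (byte_size(Handle)):32, Handle/binary, 0:64, Len:32>>.

%% Validate the handle of a request before it is looked up or processed.
%% The length prefix is checked first, so an attacker-chosen 32-bit length
%% is rejected without ever touching (or copying) the handle bytes.
check_request(<<Type, ReqId:32, HLen:32, Rest/binary>>)
  when Type =:= ?SSH_FXP_CLOSE;    Type =:= ?SSH_FXP_READ;
       Type =:= ?SSH_FXP_WRITE;    Type =:= ?SSH_FXP_FSTAT;
       Type =:= ?SSH_FXP_FSETSTAT; Type =:= ?SSH_FXP_READDIR ->
    if
        HLen > ?MAX_HANDLE_LEN ->
            %% Caller should answer with SSH_FXP_STATUS / SSH_FX_FAILURE.
            {error, ReqId, handle_too_long};
        byte_size(Rest) < HLen ->
            {error, ReqId, truncated};
        true ->
            <<Handle:HLen/binary, _/binary>> = Rest,
            {ok, ReqId, Handle}
    end;
check_request(<<Type, ReqId:32, _/binary>>) ->
    %% Other request types carry no handle; nothing to bound here.
    {skip, ReqId, Type};
check_request(_) ->
    {error, undefined, malformed}.

%% Exercise both paths with constructed requests.
demo() ->
    Good = build_read_request(1, <<"h0">>, 4096),
    {ok, 1, <<"h0">>} = check_request(Good),
    %% A 100 000-byte handle, far above the 256-byte limit.
    Oversized = build_read_request(2, binary:copy(<<$A>>, 100000), 4096),
    {error, 2, handle_too_long} = check_request(Oversized),
    ok.
```

Compile with `erlc sftp_handle_check.erl` and run `sftp_handle_check:demo().` in an Erlang shell; it returns `ok` only if the valid handle is accepted and the oversized one is rejected. The design point is that the bound is enforced on the declared length alone, so the cost of rejecting an abusive request is constant regardless of how large the attacker made the handle.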

Remediation

Users should upgrade to Erlang OTP 28.0.4, or to 27.3.4.3 or 26.2.5.15 on the 27 and 26 maintenance lines, all of which include the patch. Where upgrading is not immediately possible, the SFTP subsystem can be disabled on the SSH daemon, or the maximum number of allowed sessions can be reduced to limit how much an authenticated attacker can amplify the resource consumption.
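The two mitigations above map directly onto options of the OTP `ssh:daemon/2` API. The snippet below is an added example for this page (not project code): the first function shows a typical daemon start that leaves the default SFTP subsystem enabled and puts no cap on sessions, and the second shows the hardened variants. The port, `system_dir` and `user_dir` paths are assumed values for illustration.

```erlang
%% ssh_hardening_example.erl (added example; not part of Erlang/OTP)
-module(ssh_hardening_example).
-export([start_default/0, start_without_sftp/0, start_capped_sftp/0]).

%% Weak: the ssh application enables the SFTP subsystem by default
%% (ssh_sftpd:subsystem_spec([])) and does not limit concurrent sessions,
%% so any authenticated client can open many sessions and send oversized
%% handles to each.
start_default() ->
    ssh:daemon(2222, [
        {system_dir, "/etc/ssh"},            % host key directory (assumed)
        {user_dir,   "/var/lib/sshd/users"}  % authorized_keys location (assumed)
    ]).

%% Mitigation 1: no SFTP subsystem at all. SFTP requests are refused
%% because no subsystem named "sftp" is registered.
start_without_sftp() ->
    ssh:daemon(2222, [
        {system_dir, "/etc/ssh"},
        {user_dir,   "/var/lib/sshd/users"},
        {subsystems, []},
        {max_sessions, 4}
    ]).

%% Mitigation 2: keep SFTP but confine it and cap the number of sessions
%% the daemon will accept at once, which bounds the amplification available
%% to a single authenticated attacker.
start_capped_sftp() ->
    ssh:daemon(2222, [
        {system_dir, "/etc/ssh"},
        {user_dir,   "/var/lib/sshd/users"},
        {subsystems, [ssh_sftpd:subsystem_spec([{root, "/srv/sftp"}])]}, % assumed root
        {max_sessions, 4},
        {parallel_login, false}
    ]).
```

Neither option removes the underlying defect; they only reduce exposure until the patched OTP release is deployed. Verify the effective settings after restart with `ssh:daemon_info/1` on the returned daemon reference.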

Added: Sep 11, 2025, 9:22 AM
Updated: Sep 11, 2025, 5:39 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 2.5
exploitability: 4.3
remediation: 8.3
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.